The infamous Emotet malware operation has been observed installing Cobalt Strike beacons directly on infected devices, shortening the path to a hands-on attack. Considered by security researchers to be one of the most prevalent malware infections, Emotet is commonly distributed via phishing emails carrying malicious attachments.

In most documented cases, once a device is infected, Emotet harvests the victim's emails for reuse in future phishing campaigns, then drops further malware payloads such as Qbot and TrickBot.

Maliciously repurposing a security tool

In December 2021, Emotet was observed test-installing Cobalt Strike beacons directly on infected devices, in place of its regular payloads such as the banking Trojans mentioned above.

Cobalt Strike is a legitimate commercial adversary-emulation tool designed for penetration testing and red-team engagements. Cracked copies have nonetheless been widely adopted by threat actors, who use its beacons to move laterally through an organisation's network and, in many cases, ultimately deploy ransomware.

The observed test was brief, and the operators soon resumed distributing their usual payloads. Shortly afterwards, the Emotet group paused its spam and phishing campaigns and went quiet for a short period before returning in force, this time installing Cobalt Strike beacons on Emotet-infected devices as a matter of course.

Researchers tracking the gang's activity explained that Emotet now downloads Cobalt Strike modules from its command-and-control (C2) server and executes them directly on devices already infected with Emotet.

With beacons installed directly by Emotet, the threat operators using them can move laterally across the network, steal files and deploy further malware. More importantly, they gain immediate access to the compromised network: previously, Emotet first dropped an intermediary such as TrickBot or Qbot, which in turn installed Cobalt Strike, so cutting out that step removes a whole stage from the infection chain.

In effect, direct beacon delivery shortens the time between initial infection and a hands-on-keyboard attack.

Seasonal attacks

Holiday periods are often ideal times for cyberattacks. With most enterprises operating with reduced staff, systems are not monitored as closely and response times are longer. Threat operators are well aware of this and are known for launching campaigns during the holidays to increase their success rate.

The Cobalt Strike beacons dropped by Emotet communicate with the gang's C2 server by requesting what looks like a copy of the jQuery JavaScript library. Each time the beacon checks in, it fetches the file again, and the server returns it with one variable rewritten to carry fresh instructions. Because most of the file is genuine jQuery source and only a small section changes, the traffic blends in with legitimate web requests and passes many kinds of security filtering.
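The disguise described above has a weakness a defender can exploit: a genuine static library file is byte-identical on every fetch, whereas a beacon's tasking channel returns a slightly different body each poll. The following detector, an added example that is not part of Galaxkey's article or any Emotet or Cobalt Strike tooling, groups captured HTTP responses by host and URI, flags library-looking URLs whose body hash varies between fetches, and reports how small the changed region is. The capture records, hostnames and jQuery-like bodies are constructed for the example.

```python
"""Flag static-library URLs whose response body changes between fetches.

A real jquery-*.js is immutable once deployed, so a URL that looks like a
library file but returns a different body on each poll is worth a closer
look. The captures below are constructed stand-ins: the bodies are short
jQuery-like stubs, and the hosts are fictional.
"""
import hashlib
import re
from collections import defaultdict

# Filenames that should be immutable static assets once deployed.
STATIC_LIB_RE = re.compile(r"/(?:jquery|bootstrap|angular|react)[\w.-]*\.js$", re.I)

# Constructed captures: (timestamp, host, uri, response_body).
# The legitimate CDN serves the same bytes every time; the C2 host serves
# "jQuery" with one variable (S=...) rewritten on every check-in.
LEGIT_BODY = '/*! jQuery v3.3.1 */!function(e,t){"use strict";var n=[],r="3.3.1";/*...*/}(window);'
CAPTURES = [
    ("2021-12-14T09:00:01Z", "cdn.legit.test", "/jquery-3.3.1.min.js", LEGIT_BODY),
    ("2021-12-14T09:05:01Z", "cdn.legit.test", "/jquery-3.3.1.min.js", LEGIT_BODY),
    ("2021-12-14T09:00:07Z", "c2.example.test", "/jquery-3.3.1.min.js",
     '/*! jQuery v3.3.1 */!function(e,t){"use strict";var n=[],r="3.3.1",S="YWJjMQ==";/*...*/}(window);'),
    ("2021-12-14T09:01:07Z", "c2.example.test", "/jquery-3.3.1.min.js",
     '/*! jQuery v3.3.1 */!function(e,t){"use strict";var n=[],r="3.3.1",S="ZGVmMg==";/*...*/}(window);'),
    ("2021-12-14T09:02:07Z", "c2.example.test", "/jquery-3.3.1.min.js",
     '/*! jQuery v3.3.1 */!function(e,t){"use strict";var n=[],r="3.3.1",S="Z2hpMw==";/*...*/}(window);'),
]


def body_hash(body: str) -> str:
    """SHA-256 of the response body; what a proxy would typically log."""
    return hashlib.sha256(body.encode()).hexdigest()


def divergent_span(a: str, b: str):
    """Return (start, end) of the region where a and b differ, i.e. the part
    not covered by their common prefix and common suffix. (0, 0) if equal."""
    if a == b:
        return (0, 0)
    n = min(len(a), len(b))
    prefix = 0
    while prefix < n and a[prefix] == b[prefix]:
        prefix += 1
    suffix = 0
    while suffix < n - prefix and a[-1 - suffix] == b[-1 - suffix]:
        suffix += 1
    return (prefix, max(len(a), len(b)) - suffix)


def find_mutating_libraries(captures):
    """Group fetches of library-looking URLs per (host, uri) and report those
    whose body hash is not constant across fetches."""
    groups = defaultdict(list)
    for _ts, host, uri, body in captures:
        if STATIC_LIB_RE.search(uri):
            groups[(host, uri)].append(body)

    findings = []
    for (host, uri), bodies in groups.items():
        hashes = {body_hash(b) for b in bodies}
        if len(hashes) < 2:
            continue  # identical on every fetch: behaves like a real static asset
        start, end = divergent_span(bodies[0], bodies[1])
        longest = max(len(b) for b in bodies)
        findings.append({
            "host": host,
            "uri": uri,
            "fetches": len(bodies),
            "distinct_bodies": len(hashes),
            "changed_span": (start, end),
            # A tiny changed fraction inside an otherwise stable file is the
            # signature described above: real jQuery with one variable swapped.
            "changed_fraction": round((end - start) / longest, 3),
        })
    return findings


if __name__ == "__main__":
    for f in find_mutating_libraries(CAPTURES):
        print(f)
```

Run against the constructed captures, the legitimate CDN is silent and the C2 host is reported with three distinct bodies differing in a six-character window, about 6% of the file. In production this check needs tuning: a genuine deploy or cache-busting change will also alter a library's hash once, so alert on repeated changes at a regular interval rather than a single one, and where a known-good copy of the library is available, compare the body hash against it directly for a stronger signal.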

Once threat operators have a foothold in a company's network, data is typically exfiltrated, and a ransomware attack often follows, with the organisation extorted for payment in cryptocurrency.

The rapid deployment of Cobalt Strike via Emotet is a significant development, and experts are warning Chief Information Officers (CIOs) and network administrators to be especially vigilant during periods of office downtime.

Given the increased distribution of Cobalt Strike modules to devices already infected with Emotet, a rise in corporate data breaches and targeted ransomware attacks in the coming months is now substantially more likely.

Help protect your enterprise from cyberattacks by using Galaxkey's encryption services to shield your data, which you can try with a free 14-day trial.